Chrome browser will flag all HTTP connections as unsafe

In the 56th version of the Chrome browser, browsing the web will become more secure. Any site that sends passwords and credit card data via HTTP will be marked as insecure by the browser. At the same time, the introduction of such a measure is only the first step of Google in improving the level of security when working with HTTP-sites.

Google will begin to fight more actively for the security of user data. Starting in July, the Google Chrome browser enjoys 56% of the world’s Internet users will mark all sites that do not support the transfer of data via the HTTPS protocol as “unsafe”. This became known from the blog post of product security manager Emily Shelter. Changes will take effect with the release of Chrome 68 on all platforms. Now sites with HTTP are accompanied by a neutral icon, and resources with HTTPS have a green icon with a lock that indicates the protection of the connection.

In the browser, the innovation will look like this:

Implementing HTTPS is important in order to encrypt the transfer of data between you and the site. Thanks to this protocol, no one else (for example, a third-party user of the same Wi-Fi network or provider) will be able to spy on your actions. The absence of HTTPS makes it easy to steal personal data and infect your device with malware.

To make it easier for developers to upgrade to a new standard, Google also advises taking advantage tool Lighthouse, which provides an automatic audit of pages on the URL. In turn, the distribution of free safety certificates is the project Let’s Encrypt.

Since July, even static HTML pages that do not collect any data will be marked as not secure, simply because they are not on HTTPS. Obviously, we all expected that this would happen, and this moment came. This mark obviously affects the trust of users who use Chrome. Such sites will not go down in Google’s search results. But if the user in the Chrome browser and visit the page on HTTP, Google Chrome will mark it as “unsafe”.

Google has recently forced webmasters to migrate to HTTPS, these efforts have already been crowned with some success, 81 of the top 100 Google sites use HTTPS at the moment. Recall, at the end of 2014, the Google Chrome team reported that it will begin flagging sites that use the HTTP protocol as unsafe.

Logically, most users do not know the difference between HTTPS and HTTP, so it’s fair that the move to a safer Internet should start with forcing webmasters to use https.

“Warnings” interception of TLS will appear in Chrome 64

Starting with the version of Chrome 64, the browser will notify users about the interception of TLS, which occurs most often during MitM (Man-in-the-middle) attacks. The release of the version of Chrome 64 was scheduled for December 5, 2017.

As we noted earlier, Google, Mozilla, Microsoft and other major browser developers are actively promoting HTTPS. Websites that switch to HTTPS receive certain bonuses in the form of a better ranking in search results, as well as a higher level of trust from visitors.

When is TLS intercepted?

One of the common reasons for intercepting TLS is man-in-the-middle attacks. In this case, the attacker becomes an intermediate link in the interaction between the server and the user. Through the attacker, all the data passes, which he can intercept and learn by manipulating the information received in any way suitable for himself.

Often the user does not even know that there was a MitM attack and all his data is now passed through the “filter” of the attacker. Google’s decision to add notifications of TLS interception will allow site administrators to quickly fix existing security problems and take appropriate measures.

Another reason for intercepting TLS is in fact also MitM, but with a positive color. In this case, the interception of traffic is carried out for the purpose of checking it for the presence of malicious requests and viruses. This practice is assessed ambiguously, and therefore it is best to avoid it. In this case, Chrome will not display any warnings.

How to enable TLS interception warnings in Canary, dev versions of Chrome

You can enable TLS interception warnings right now if you use the dev version of Chrome called Canary. This is done as follows:

In the browser, select Properties.

In the Target field, enter the following: “-enable-features = MITMSoftwareInterstitial”.

Save the changes.

Be sure to subscribe to our newsletter in order to keep abreast of all the latest news from the world of SSL and cybersecurity! Buy from us trusted SSL certificates, which will never cause any problems with the sites.